Recently, Microsoft announced the general availability of Application Security Groups (ASG) in all Azure regions. The ASG feature provides micro-segmentation for virtual networks in Azure, letting users define network security policies based on workloads and centered on applications. In the event of a security breach, ASGs limit the potential for attackers to move laterally through the network.

Source: Microsoft Azure

Security definition simplified

With ASGs, filtering traffic based on application patterns is simplified, using the following steps:

Define your application groups and give each a descriptive name that fits your architecture. You can use them for applications, workload types, systems, tiers, environments or any other role.

Define a single collection of rules using ASGs and Network Security Groups (NSGs). You can apply a single NSG to your entire virtual network, on all subnets. A single NSG gives you full visibility of your traffic policies and a single place for management.

Scale at your own pace. When you deploy VMs, make them members of the appropriate ASGs. If a VM runs multiple workloads, just assign it multiple ASGs. Access is granted based on your workloads, so there is no need to revisit the security definition. More importantly, you can implement a zero-trust model, limiting access to the application flows that are explicitly permitted.
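The three steps above, written out as an added Bicep example (this is illustration code, not Microsoft's own template): two ASGs, a single NSG whose rules refer to those ASGs rather than to IP ranges, the NSG attached to every subnet, and a NIC that gains its access purely through ASG membership. All names, address ranges and the SQL port are assumptions chosen for the example.

```bicep
// Added example (not from Microsoft's announcement): one NSG, applied to every
// subnet of a VNet, whose rules reference ASGs instead of IP ranges.
// All names, address ranges and ports below are assumptions for illustration.
param location string = resourceGroup().location

// Step 1: define application groups with descriptive names.
resource webAsg 'Microsoft.Network/applicationSecurityGroups@2023-05-01' = {
  name: 'asg-web'
  location: location
}

resource dbAsg 'Microsoft.Network/applicationSecurityGroups@2023-05-01' = {
  name: 'asg-db'
  location: location
}

// Step 2: a single NSG holding the whole traffic policy.
// Lower priority numbers are evaluated first; the first matching rule wins.
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-app'
  location: location
  properties: {
    securityRules: [
      {
        // Only the web tier may reach the database tier, and only on SQL.
        name: 'allow-web-to-db-sql'
        properties: {
          priority: 200
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourcePortRange: '*'
          destinationPortRange: '1433'
          sourceApplicationSecurityGroups: [ { id: webAsg.id } ]
          destinationApplicationSecurityGroups: [ { id: dbAsg.id } ]
        }
      }
      {
        // Zero trust inside the VNet: the built-in AllowVnetInBound rule
        // (priority 65000) would otherwise permit every intra-VNet flow, so
        // override it with an explicit deny that still sits after the allow
        // rules above (4000 > 200) but before the defaults (4000 < 65000).
        name: 'deny-intra-vnet-default'
        properties: {
          priority: 4000
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourcePortRange: '*'
          destinationPortRange: '*'
          sourceAddressPrefix: 'VirtualNetwork'
          destinationAddressPrefix: 'VirtualNetwork'
        }
      }
    ]
  }
}

// The same NSG is attached to every subnet, so there is one place to manage.
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-app'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      { name: 'snet-a', properties: { addressPrefix: '10.0.1.0/24', networkSecurityGroup: { id: nsg.id } } }
      { name: 'snet-b', properties: { addressPrefix: '10.0.2.0/24', networkSecurityGroup: { id: nsg.id } } }
    ]
  }
}

// Step 3: membership is set per NIC; a VM running several workloads simply
// lists several ASGs here, and no NSG rule has to change.
resource webNic 'Microsoft.Network/networkInterfaces@2023-05-01' = {
  name: 'nic-web-01'
  location: location
  properties: {
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: {
          subnet: { id: vnet.properties.subnets[0].id }
          privateIPAllocationMethod: 'Dynamic'
          applicationSecurityGroups: [ { id: webAsg.id } ]
        }
      }
    ]
  }
}
```

A NIC for the database tier would be declared the same way with `dbAsg.id` in its `applicationSecurityGroups` list. Two points worth checking when you adapt this: in NSGs a "high priority" rule is one with a lower priority number, and without the explicit intra-VNet deny the default rules still allow any VM in the VNet to reach any other, so the ASG allow rule alone does not give you a zero-trust posture.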

Single network security policy

ASGs make it possible to deploy multiple applications within the same subnet and also let users centralize the configuration, with the following benefits:

Centralized NSG view: all traffic policies are in a single place, which makes them easy to operate and to change. If you need to allow a new port to or from a group of VMs, you change a single rule.

Centralized logging: in combination with NSG flow logs, a single logging configuration has multiple advantages for traffic analysis.

Enforce policies: if you need to deny specific traffic, you can add a security rule with high priority to enforce administrative rules.

Filtering east-west as well as north-south traffic

The company says that ASGs can filter both east-west and north-south traffic, making the network more secure and easier to manage. ASGs use strict security rules to isolate workloads and groups of VMs so as to minimize the risk of attack.

Source: Microsoft Azure

The company also welcomes feedback on ASGs from users, as it helps them move in the right direction. In a technical world where bad actors are always trying to take you down with some hack, this security feature is commendable.